WordPress membership plugin bug exploited to create admin accounts

Hackers are exploiting a critical vulnerability in the User Registration & Membership plugin, which is installed on more than 60,000 WordPress sites.

Developed by WPEverest, the plugin provides membership and user registration management features, including custom forms, payment integrations with PayPal and Stripe, bank transfers, and analytics.

The security vulnerability is tracked as CVE-2026-1492 and received a critical severity rating of 9.8. Because the plugin accepts a user-supplied role during membership registration, hackers can create administrator accounts without authentication.
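The fix pattern for this class of bug, as an added illustration (not code from the plugin or from WPEverest): the registration handler never reads a role from the request, derives it from server-side plan settings, and clamps it to an allowlist. The function names, the `my_membership_plans` option and the request field names are hypothetical; the WordPress calls are core APIs.

```php
<?php
// Added illustration; not the User Registration & Membership plugin's code.
// Hypothetical: my_membership_*() names, the 'my_membership_plans' option,
// and the request keys 'plan_id', 'user_login', 'user_email'.

// Roles that an unauthenticated, self-service signup may ever receive.
const MY_SELF_SERVICE_ROLES = array( 'subscriber', 'customer' );

/**
 * Resolve the role for a new member from server-side configuration only.
 *
 * @param array $plans   Plan settings stored by an administrator.
 * @param int   $plan_id Plan chosen by the visitor (an id, never a role name).
 * @return string A role from MY_SELF_SERVICE_ROLES.
 */
function my_membership_resolve_role( array $plans, $plan_id ) {
    $role = isset( $plans[ $plan_id ]['role'] ) ? $plans[ $plan_id ]['role'] : '';

    // Defence in depth: a misconfigured or tampered plan still cannot
    // hand out a privileged role through the public signup path.
    if ( ! in_array( $role, MY_SELF_SERVICE_ROLES, true ) ) {
        return 'subscriber';
    }
    return $role;
}

/**
 * Create the account. Any 'role' key present in $request is ignored.
 *
 * @param array $request Raw form fields, e.g. $_POST.
 * @return int|WP_Error New user id, or WP_Error on failure.
 */
function my_membership_register( array $request ) {
    $plans   = (array) get_option( 'my_membership_plans', array() );
    $plan_id = isset( $request['plan_id'] ) ? absint( $request['plan_id'] ) : 0;

    return wp_insert_user( array(
        'user_login' => sanitize_user( wp_unslash( $request['user_login'] ?? '' ), true ),
        'user_email' => sanitize_email( wp_unslash( $request['user_email'] ?? '' ) ),
        // Random initial password; the member sets their own via the reset flow.
        'user_pass'  => wp_generate_password( 24 ),
        'role'       => my_membership_resolve_role( $plans, $plan_id ),
    ) );
}
```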
